Save content
Have you found this content useful? Use the button above to save it to your profile.
OPen Banking: Online Bank Two Factor Authentication stock photo... Save Online Bank Two Factor Authentication Online Bank Two Factor Authentication. Ecommerce Transfer App Adult Stock Photo Description Online Bank Two Factor Authentication. Ecommerce Tran
iStock_AndreyPopov

FCA solicits removal of 90-day Open Banking reauthorisation

by

The current FCA consultation paper on payment services and Electric money proposes to exempt fintechs from the 90-day reauthorisation requirement of using Open Banking data. The decision could have big consequences for the future of Open Banking.

12th May 2021
Save content
Have you found this content useful? Use the button above to save it to your profile.

The Financial Conduct Authority (FCA) has published consultation paper CP21/3: ‘Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual’.

The paper proposes the following changes to the SCA-RTS (the technical standards on strong customer authentication and common and secure methods of communication):

  • creating a new SCA exemption in Article 10A so that customers do not need to reauthenticate every 90 days when accessing account information through an AISP 

  • mandating the use of dedicated interfaces (such as APIs) by account providers for certain retail and SME payment accounts 

  • amending requirements relating to technical specifications, testing interfaces and fallback interface 

  • allowing ASPSPs with a deemed authorisation under TPR to rely on exemptions from setting up a fallback interface granted by home state competent authorities 

  • amending the single and cumulative transaction thresholds for contactless payments, increasing the first from £45 to £100 (or potentially a maximum of £120) and the latter from £130 to £200. 

According to the FCA, it has identified “barriers’ to successful competition and innovation in the UK payments landscape caused by requirements in the SCA-RTS for Open Banking. 

The consultation paper proposes to make amendments to these rules that will support competition and innovation whilst maintaining the safety and security of open banking. 

Following the completion of Brexit, the consultation also proposes to update its guidance to reflect the EBA’s and the Commission’s guidance issued prior to IPCD to ensure its guidance remains relevant in the UK.

The benefits of open banking have long been heralded as transformational for consumers and businesses with the technology opening the floodgates to a wave of new financial products. 

Open banking allows third-parties to access the financial information your bank holds securely and with your consent. 

The ‘opening up’ of financial information, in turn, creates a endless possibilities for financial technology firms to produce services that rely on the information your bank holds.

Having been at the forefront of the implementation of open banking and with a reputation as a world-leading regulatory body, it seems clear that the FCA wants to retain that mantle and press forward with refining the regulations. 

The 90-day rule

The biggest proposed change in the consultation is to the 90 days re-authentication rule. 

Initial legislation included a strict 90-day reauthorisation requirement under the SCA-RTS standards. This meant that every 90 days, service providers that use a customer’s financial information held by a bank must be reauthorized to maintain access to that information.

Despite being what might first have been considered a minor regulation aimed at bolstering security, the 90-day rule has now become a headache for some open banking service providers. 

The open banking service providers or third-party providers (TPPs) argue that the rule stifles innovation and more profoundly, goes against the very principles of competition and creativity that open banking seeks to promote. 

Ultimately, TPPs like Xero say the 90-day reauthorisation rule makes life harder for businesses as they struggle to reapply their banking credentials and wastes time for the accountants that must guide businesses through the process. 

FCA taking feedback onboard

It seems that FCA are now listening to those arguments.

In the consultation paper the FCA acknowledged that the reauthorisation rule has proven “burdensome for customers, creating friction in the user experience and hindering uptake of open banking services”. 

The report adds that the 90-day rule has led to a significant loss of customers when the reauthentication becomes required. The FCA estimates that around 40 percent of customers leave at this point even though they are satisfied with the service. 

The change of tack by the FCA, proposing to make third-party providers (TPPs) exempt from the 90-day rule so long as they re-authorise in-app could lead to huge ramifications in the open banking space. 

What impact will the exemption have?

Currently, accountants have to chase clients at least four times a year to refresh their bank feed for their bookkeeping. Under these plans, that would no longer be the case, saving accountants time, keeping clients happy and allowing the TPPs to focus on bringing new services. 

Importantly, the FCA recognises that the removal of the 90-day rule for TPPs in this way would not compromise security. 

How will the changes affect audit?

For audit, the mix of significant efficiency gains from moving away from archaic paper and pdf-based processes, the quality gains from obtaining client transactions directly from source and the fact that most audits only happen annually, means the 90-day rule has not had a negative impact on uptake.

But, as the audit industry continues undergoing dramatic change and slowly moves towards an always-on real-time audit, these slight changes in regulation could bring significant benefits in future. 

Looking ahead

Open banking services are currently used by over 3 million consumers and businesses in the UK and that number continues to grow exponentially. Between 2018 and 2020, API call volume grew from 66.8 million to nearly 6 billion.

Ultimately, the rapid uptake of open banking in the UK alongside the changes to the 90 day rule is set to drive innovation and growth by giving consumers more control of their own data. The UK is in a very strong position to retain its position as a global fintech leader in a post-pandemic world.

Replies (19)

Please login or register to join the discussion.

ghm
By TaxTeddy
12th May 2021 15:26

"The report adds that the 90-day rule has led to a significant loss of customers when the reauthentication becomes required."

This suggests that the 90 day rule is a good thing if it encourages users to periodically re-appraise the value of the service. If they are choosing not to continue that seems to be a positive decision for their business, based on their experience of this facility.

Thanks (0)
blue sheep
By NH
12th May 2021 16:40

Thank goodness for that, one of our biggest headaches, it takes long enough to get a client to sign up in the first place, totally agree that the 90 day thing means many fall off when they do not want to but just cant be bothered - bring it on

Thanks (2)
John Toon
By John Toon
13th May 2021 09:57

For a tech savvy end user the 90 day rule is a minor irritation but a disruption to the use of bank feeds, for example, in accounts software. For those not tech savvy, particularly for accountants doing bookkeeping on behalf of these clients it's a major headache and one that this proposed change will definitely assist.

The major issue with openbanking authorisations is the vast majority of banks don't present these clearly in their apps/online so it can be a real pain to see what/who you've connected to and disable these connections if no longer of value. Couple that with non-tech savvy users who may rarely or infrequently log into apps/online banking and there is a small risk that these users could be targeted by those with nefarious intentions.

There are other safeguards in place though but as openbanking payments become more prevalent this is an area where cause for concern could lie.

With the opportunity to tie real time bank data, with near real time cloud accounting data, I can see a move to near realtime auditing getting closer particularly if e-invoicing starts to creep into the mainstream in the UK.

Thanks (0)
avatar
By JD
13th May 2021 10:12

About time as far as accounting is concerned. It completely defeats the point and benefits of automated feeds into accounts software.

Thanks (1)
avatar
By AdShawBPR
13th May 2021 10:39

Big tick from me. Tech savvy or not it's a complete pain having the 90 day rule.

Thanks (1)
avatar
By BryanS1958
13th May 2021 11:18

I would be interested to know what percentage of the public actually asked for this in the first place and why there isn't the option for users to opt out of the 90 day re-authentication. It is a real pain to get clients to keep re-authenticating and 100% of my clients would be happy to opt out of the process.

It's a bit like getting letters for bank charges - I constantly get letters from my banks telling me I have paid Nil or under £10 of bank charges, normally comprising an envelope and several sheets of paper - a cost to the bank, and ultimately bank customers and bad for the environment. I don't care and would like to opt out, but the banks say I cannot - absolutely ludicrous.

Thanks (2)
wolfy
By rob winder
13th May 2021 11:37

Glad to here this. I believe Xero are making 2 step authentication mandatory. This being the case, getting the client to set up/ go through 2 step authentication and reauthorise every 90 days will be a nightmare. I must cumulatively waste hours if not days every year hand holding clients hands as they reauthorise.

Thanks (0)
avatar
By dmmarler
13th May 2021 13:39

Regulation is put in place for a purpose - building regs come to mind. The FCA should tread carefully or it could open up "endless possibilities" for fraud.

Thanks (0)
avatar
By dmmarler
13th May 2021 13:39

Regulation is put in place for a purpose - building regs come to mind. The FCA should tread carefully or it could open up "endless possibilities" for fraud.

Thanks (0)
avatar
By dmmarler
13th May 2021 13:39

Regulation is put in place for a purpose - building regs come to mind. The FCA should tread carefully or it could open up "endless possibilities" for fraud.

Thanks (0)
Replying to dmmarler:
Stepurhan
By stepurhan
14th May 2021 09:15

If you can explain what purpose the 90 day rule for refreshing bank feeds to software serves, I'm sure we would all be interested to hear it.

Access to the accounting software is restricted, so the information is not being released to all and sundry. Also it only allows those with access to the accounting software the ability to see historical transactions, not create new ones. I, and many others it seems, just cannot see what security issue the 90 day rule is addressing.

Thanks (0)
Replying to stepurhan:
John Toon
By John Toon
14th May 2021 09:51

The 90 day rule was put in place to both encourage competition and for end-user security. By having to reconnect you're naturally given the opportunity to consider if the connection has some value to you whilst on the flip side for a thing such as a bank feed to Xero etc it's a pain and inconvenience. I suspect one that wasn't considered when the rules were being written, particularly as this was being done 5 or 6 years ago when cloud accounting was still in its relative infancy in the UK and further behind in the EU where this originated.

Openbanking regulation's intent is to foster competition for consumers and SME's and one of the things cited was the relative inertia of bank switching, and dominance of the high street banks of these markets, so you can understand the intentions of trying to make consumers and businesses think twice about these connections.

Thanks (0)
Replying to johnt27:
Stepurhan
By stepurhan
17th May 2021 22:49

johnt27 wrote:

The 90 day rule was put in place to both encourage competition and for end-user security.


This is a largely meaningless phrase that does not really explain the benefit to the consumer.

Encourage competition - Makes the user consider whether they want to continue to use Xero or the bank they are with? Some people do review both these things regularly, but most want to get on with running their business.

End-user security - It is likely that the software is secure anyway (at least by a password and often by two-factor authentication as well). Even if it isn't, without the bank feed the user just uploads the same information on a semi-regular basis. They still need to keep their accounting records up to date (legally required to for companies) so the information will still be there. At most there is a delay in it arriving, but it is no more secure.

Thanks (0)
avatar
By Hugo Fair
13th May 2021 13:55

"The benefits of open banking have long been heralded as transformational for consumers and businesses with the technology opening the floodgates to a wave of new financial products.
Open banking allows third-parties to access the financial information your bank holds securely and with your consent.
The ‘opening up’ of financial information, in turn, creates a endless possibilities for financial technology firms to produce services that rely on the information your bank holds."

So what benefits accrue to the bank account-holder? And what protections are they afforded?

Is it a bit like the push for 'smart' utility meters ... where the only immediate benefits are for the service suppliers, with the possibility of longer-term benefits for those running the infrastructure?

Thanks (1)
Replying to Hugo Fair:
avatar
By JD
13th May 2021 14:48

or MTD, where in reality the benefit is HM Revenue and Customs rather than the taxpayers

Thanks (0)
Replying to Hugo Fair:
John Toon
By John Toon
14th May 2021 09:59

The benefits for consumers and businesses are there if you're willing to look for them...

No more insecure bank feeds through 3rd parties and no more paid for secure bank feeds either.

Access to bank account services for those consumers typically excluded

Lower cost cross border payments

Lower cost payment services

Integrated payment solutions

Low fee investment services allowing the poorest in society to save what they can without unnecessary erosion of said investments and allow them to diversify investments in a way that traditionally only those with decent sums of disposable income could do so

I could go on

Thanks (0)
Replying to johnt27:
avatar
By dmmarler
14th May 2021 15:22

Typically excluded consumers are those without any connections or without any equipment. They also include those without any banking service at all. We should worry about them too.

Thanks (0)
avatar
By Alan Webb
14th May 2021 13:11

This need to get clients to re authenticate every 90 is regarded by clients as us making a bloody nuisance of ourselves and entails them having to do the same job over and over again. It is universally regarded as an irritant and needs to be addressed

Thanks (2)
avatar
By BryanS1958
20th May 2021 14:34

Businesses and consumers should be allowed to exercise their own discretion and opt out if they want to. I imagine 80-90% (probably 100% of my clients) would happily do so if given the choice. It just adds more administration and costs for most of our clients to have to re-approve every 90 days, with no discernible benefit.

If policy makers really wanted to encourage competition they would insist that data was freely, fully and easily transferable from one platform to another e.g. Xero to QBO, Iris to Digita, etc, instead of tinkering around the edges.

Thanks (0)